Re: The art of negotiation and trust in IPSEC
From: Hans (anonymous_at_discussions.microsoft.com)
Date: Fri, 13 Feb 2004 09:56:05 -0800
Thanks for the links!
To clarify, if I have two machines that are not members of any Domain, and they have IPSEC enabled via a the security policy (client/respond) - so will the machines be able to talk IPSEC with each other?
Or do they still need to have a 3rd party (Active Directory or Cert. Auth (or preshared key)) to authenticate/validate the enpoints of the IPSEC conversation?
So what I want (in my imaginary world) is to have two machines talk IPSEC with a third party or prior knowledge of each other.
What do you think?!
Thanks much in advance for the advice and info!
----- Steven Umbach wrote: -----
The XP/W2K will not respond with secured ipsec unless it has at least the
client/respond policy enabled in security policy. Kerberos is used within a
forest as the machine authentication method for ipsec. You can easily distribute
machine certificates in an AD domain if you have an Enterprise Certificate
Authority for the domain. You can even use Group Policy to autoenroll computer
certificates in W2K. When not in a domain it becomes more difficult and involves
Web Enrollment after the offline ipsec template is enabled. See links below for
more information. --- Steve
"Hans" <email@example.com> wrote in message
> So if I have an XP machine, and it tries to communicate with a server. If
that server wants to talk IPSEC and initiates a negotiation - will the XP
machine respond and negotiate? Even if it has no explicit policies defined?
>> I guess it comes down to trust, yes?
>> You have to trust another computer to even BEGIN to negotiate, is that
>> And this is done by 1 of 3 methods (Kerberos, certificate, or shared secret).
>> Perhaps I've answered my own question. Is there an easy way to deploy
certficiates via AD or without AD (scripting, file copying deployment - or does
it have to be registerd)?
>> I suppose that's enough questions for one post.
>> Thanks in advance,